Entries in BS25999 (4)

Friday, 18 May 2012

ISO22301 Published

I am sure that most of you will now have seen that ISO 22301 has been published this week. It is a requirements standard against which you can achieve accredited certification, as you could with BS25999-2. Of course, the standard can also be used simply to inform your own programme and to report to customers, management and other interested parties without going through certification. ISO 22301 tells you what you must achieve, not how to do it.

ISO 22313 will provide more detailed guidance and should be published next year.  

Those who are already certified to BS25999-2 will be able to transition to ISO 22301, and the arrangements for this will become clear shortly. Those who are currently going through certification to BS25999-2 will also be able to transition to ISO 22301; there is no need to restart the process.

ISO 22301 covers much the same ground as BS25999 and requires that organizations develop a management system and undertake all of the conventional business continuity stages, including BIA, risk assessment, developing a strategy, implementing solutions and plans, and exercising and testing. There are some differences: it is more specific about warning and communication and about dealing with the initial stages of incident response, and it requires performance metrics, i.e. measures to determine how effectively business continuity is being managed.

BS25999-2 will be withdrawn in November and the UK is adopting ISO22301 as its replacement. Norway, Sweden, South Africa and Thailand have already announced that they are adopting it, and we can expect more national standards bodies around the world to adopt ISO22301 as their recognised standard. As such, the influence of ISO 22301 will be worldwide, and it represents a major step forward in improving societal resilience.

Friday, 11 November 2011

ISO22301: Publication draws closer

ISO22301, the standard that will for the first time address business continuity management at international level, is moving closer to final publication. After some hiccups and disagreements within the committee responsible, a meeting in Beijing has finally resolved to move forward to Final Draft International Standard (FDIS).

The secretary has to submit this to the International Organization for Standardization (ISO) in Geneva, and there are then some administrative activities leading to publication of the FDIS. This does not usually take very long, but at the previous stage there was a delay of some weeks before official publication. The FDIS stage itself then requires a two-month consultation period during which comments may be submitted; however, only minor changes can be made at this point.

Once these comments have been dealt with and whatever changes are agreed and made, the final document is published. So we might expect publication of the FDIS at the end of the year, completion of the two-month consultation by the end of February, and further consideration and final publication in Q2 2012.

Countries with no existing national standard can adopt the ISO immediately. For those that have existing standards it is slightly more complicated. In the UK we must consider what happens to BS25999-2. Our working presumption is that it will be withdrawn; however, BS25999 is in use, companies hold existing certifications against it, and it is written into US legislation. So exactly when BS25999-2 is withdrawn has still to be discussed and formally agreed.

We also need to consider whether BS25999-1 should be withdrawn in consequence. The guidance to accompany 22301 (ISO 22313) is following close behind but is not yet published, so again there is a question of timing. There is also a question of whether the UK wishes to retain BS25999-1 in some form, perhaps by updating and evolving it to incorporate key points from the various PDs and PAS200 that have been published since. The future of this document has therefore still to be formally decided.

Companies with existing certifications will be able to migrate to ISO 22301 certification, and there is an established process for this. However, we will all need more information about the detail, and now that we have some certainty of progression to publication, this is a discussion that can be opened with the relevant organisations.

Friday, 26 August 2011

ISO Standards news

ISO22301 has been updated following extensive feedback on the DIS and deliberations in Berlin. It is now being prepared for circulation to the ISO Working Group and then to the full committee, seeking approval to proceed to FDIS. Provided these hurdles are passed, we should see an FDIS before the end of the year.

ISO22313 is intended to provide guidance linked to ISO22301. It is the equivalent of BS25999-1, but this time the two documents have been written in parallel and should therefore closely reflect each other. ISO22313 is now at a similar stage, waiting to be circulated for approval to proceed to DIS.

We are therefore getting closer to the day when there will be an International Standard for business continuity management. Feedback has been largely positive to date, and publication and adoption will surely be an important step forward in improving organisations' ability to prepare for and respond to disasters of all forms.

Thursday, 21 October 2010

Standards News

I am frequently asked about the future of BS25999. Is it being rewritten? Is it being withdrawn? Is it worth waiting for an ISO equivalent? Let me try to deal with these points in order.

The committee that deals with British Standards on business continuity is BCM/1. It is normal for a standard to be revised after three years or so in the marketplace, and the committee has therefore been periodically reviewing the feedback on both parts 1 and 2, collating these points and considering what to do and when to do it. The point has been forcefully made that revision, or even rumours of revision, may confuse the market; consequently the committee has continued to collate material on the changes we might make but had not yet determined what was to be done.

In the summer it was decided to start acting upon the material gathered, and in particular to begin addressing the areas of mismatch between parts 1 and 2. Some work has started, but it is not at all clear when this might take effect, as the revision process would certainly take some time.

I have written in this blog previously about the development at international level of a standard in this same space. ISO is the International Organization for Standardization, and businesses operating across multiple countries have expressed a desire for a single standard that can be applied everywhere. ISO22301 is being developed to be that standard. It has significant UK input, but it is not the UK's document: significant contributions have been made by Singapore, the USA, Australia, Japan, Denmark and others, and the text has also had to adopt standard ISO wording and structure. The UK committee now has to consider whether this document covers the same ground as BS25999 and whether that would warrant the withdrawal of BS25999 altogether.

Once again I stress that no decisions have been made. If ISO22301 fully addresses all of the areas of BS25999-2, then it would be sensible to withdraw the UK document. If ISO22301 is significantly different from BS25999, then the UK document would remain and be revised in the normal way. The difficulty may arise if ISO22301 is very close to BS25999 but fails to adequately address some area or areas that the UK committee feels to be fundamental sticking points. As ISO22301 is now entering its first stage of major public consultation, known in ISO terminology as the DIS (Draft International Standard) stage, the UK committee is reviewing the content in detail, comparing the draft ISO with the current BS25999-2 so that we can determine our position and provide input to the ISO committee on areas that meet UK requirements.

This is a long process. The DIS stage takes five months, and at the end of it the ISO committee must resolve all of the comments received from around the world. This takes considerable time, after which the resulting document must be reviewed by the committee and the next step determined. This could be a further round of public consultation, or a move towards publication. Organisations considering certification should appreciate that establishing accredited auditors would then take further time following publication. At the most optimistic, we might be looking at 18 months before certification against ISO22301 becomes possible.

Those who are considering certification against BS25999 should not wait for the ISO. Assuming the ISO is fully compatible with BS25999, transition should be reasonably straightforward and achievable, and accredited auditors will have mechanisms to update the certification of existing organisations. Until the analysis of the ISO is done (and it has already started), the updating of BS25999 remains a background task. We will know more in a month or so, and BCM/1 will seek to propagate information and gather views as appropriate.

An indication of what the future might hold is what is occurring with BS25777. This was developed by the same BCM/1 committee and replaced PAS77, bringing IT thinking into line with BS25999. The excellent work on it has been carried forward to international level, where ISO27031 was in development. A comparison has been undertaken between the nearly completed ISO document and BS25777, and the committee agreed that all of the core thinking of BS25777 is now reflected in ISO27031; subject to ISO27031 passing its final vote, BS25777 will be withdrawn on publication of the ISO standard. In principle this is exactly what should happen to BS25999, but only if we are all satisfied that the ISO fully meets UK requirements, and, as I said, this is not yet determined.